Analysis

  • max time kernel: 150s
  • max time network: 123s
  • platform: windows7_x64
  • resource: win7-20240708-en
  • resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted: 10-10-2024 14:35

General

  • Target: 305f37807bec7afd8e310b1334e63b5c_JaffaCakes118.exe
  • Size: 173KB
  • MD5: 305f37807bec7afd8e310b1334e63b5c
  • SHA1: 18253edd3c6799c3a58d4e1461932a442a90ff8f
  • SHA256: 5334aaef334167fc6ff2c3eae74982f4818bd609168f9f38b5ad3504db0a7480
  • SHA512: 0eecdffe24eba134241e9815b3f5b46cffd1b74a1fab9a8bfdca03aa9c63fc698f6f6af26c9cf0729c1a7a397136f1a987ca2b8c5dcd6209f33e154feaa5f444
  • SSDEEP: 3072:P+bzgbUy8RvsIz7JD2F0j4D1t53zVQRkVEJhX/4mVwujNQnc4CKH:mbzao0g7oF0j45t53zyVfX//VwWN4cs

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 36 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 27 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\305f37807bec7afd8e310b1334e63b5c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\305f37807bec7afd8e310b1334e63b5c_JaffaCakes118.exe"
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2116
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:2096
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    • Executes dropped EXE
    PID:2676
  • C:\Windows\system32\dllhost.exe
    C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
    • Drops file in Windows directory
    PID:1644
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    • Suspicious use of AdjustPrivilegeToken
    PID:2544
  • C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2988

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir
    Filesize: 284KB
    MD5: e439430997faf032bb90db4cb3cfb85d
    SHA1: f5faec3b5a9b6a72e3434ed146fe1cf6fbf692a8
    SHA256: d15fafd0644267bcef470fe5eb5b87aac659560e973ed4843881b06f644afddb
    SHA512: 98f9d641157b47abf6a5046488da7c77a4a80875265267bd18395926ff167635c24a0c73e8979e9614a2b28a6126bafbc5364c9da43b6a242b9e7133c380801c

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe
    Filesize: 1.2MB
    MD5: 8174bc516ba6943da8e0f2daec453f27
    SHA1: 414db3d2b6875d529a290517033fbf8002a4b319
    SHA256: f4a842742e5554defbac5cefa75c8d8313191d0ec0b7d6a3ddeb7a1dfbb1364a
    SHA512: a9b0a6951aa76a1cc37b470a9089237652e2c1c6f6dc9aa0200f1356e2653b0a216bc3082c14659be59657323ee890ae92338129837add13dc12e0bbdbafcb96

  • C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
    Filesize: 284KB
    MD5: 40ffee3c2f8ca7592c3bdc5dc1533851
    SHA1: 7a0687aeca3636314bee87fb408644d64a6fd7a7
    SHA256: 004e5e23e80aa33f5c571bd47a2ed3b1a4d95c35d1562deacf6e80ffbda15b34
    SHA512: d14e69ebb2534888ffc7b84a9e8b970b26494fa6c9fe445fffb4107602f3398ee07dfe47f7b4a819151cec38b8ed372e756d5a294fe9aa9c191659158cd27c11

  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    Filesize: 203KB
    MD5: 6975955ff1196f01b2e6cebd9e2a2245
    SHA1: 11e3b78f62d9eded0855541c9cd0f276e254e3a5
    SHA256: 629ba16b1b5aa0aa9b5caeacb8464e5385270d9f237c58f59c47197cdc32781a
    SHA512: db5b49c6de8d7dbc55a545be4a223a0cfbeed074a5ddfb915af75cf4ee79dde9fe6e01a5dbd2ac171add86cb04b1adc00b3fe5f41753a6c8c99a7e4b24665e53

  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
    Filesize: 1003KB
    MD5: b6f083487e3731d9a4dc377f326ee8e8
    SHA1: 1e9dd8d74cc314bec5a85505e99ccaf56e2239db
    SHA256: 01cda1a7c2d0222ac828947aaf7aa750070e91d5dfa422392e1910b20ff77fb3
    SHA512: dd40ef9d5247d774fedabf4cf833555a80a02a282dd4a066e739831328719432799e69a02363f01706b210fabac75b9a0dd0918e49535ed303b08add335340f4

  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Filesize: 234KB
    MD5: c6c732914e2304fcd5849477c370a609
    SHA1: 012786df00bee7ec29c8e7eb3f050bb9a760a387
    SHA256: ce6ad341a836d1de67f9d94d29648d42d16044f3544f318d26b9423167405ffc
    SHA512: 9c9eabae7e142ec885d6765d82f1980423ebddd4673338d0cd392f5806ba21ff4f95a6f4df22100ce4432ff057d250c8cc5fe5d90d6897a320d3efa5f09f070e

  • \??\c:\program files (x86)\microsoft office\office14\groove.exe
    Filesize: 29.7MB
    MD5: e068658d58e2c1381dbcd1ec0d67dae3
    SHA1: e9013f3d574dd833d34cbd9ec3a2fca0ce60e345
    SHA256: c86e9bef1d8b6219f093326d1b3f684556ba8bc86db46bdff3b41910ef9ba73d
    SHA512: ba28fc51c3721b7a72caa3ee96a1080294d3d8c3abd3811fa984a560e5893f8c9cae0a008d8b19d876b9f37e2ad450b635bfa84765e3b914e8572d3f3a45cfbd

  • \??\c:\windows\SysWOW64\searchindexer.exe
    Filesize: 562KB
    MD5: 69463397cf4274e88393c16431f89499
    SHA1: 84af0606d9a318c3b2421b2d0dc975d241441621
    SHA256: c5ce32d85313a1817f58a6e6d85603b47b017c280538f3bcb73ff72d17b69d10
    SHA512: 3fe484ae9403b645ab5c55d836e640a0b1d25a5ec1a27549d05f401b473e167c208187a1a6e2df549495894d61cbbea28fade093176a39a5a3e4b6c9d9ea6646

  • \??\c:\windows\SysWOW64\svchost.exe
    Filesize: 164KB
    MD5: 03631748745a66f283e6ac5de52eb3b1
    SHA1: a4acec58f9ac95d289dd6adbe61bb6b991f4eab6
    SHA256: 3e3431aab8fa70ae65ab3781d2bcac05c7cdabf854ce02d155c917807b867d62
    SHA512: 4ecdd58ec8c6dcbe38f6506a5ac41c4ac644beb81f2a5dc0828882474cc22bd518f0e41700a332bbc496b131c1c027bf2441e038a275d70d04f45b090c7e5325

  • memory/2096-13-0x0000000010000000-0x0000000010070000-memory.dmp
    Filesize: 448KB

  • memory/2096-22-0x0000000010000000-0x0000000010070000-memory.dmp
    Filesize: 448KB

  • memory/2096-14-0x000000001000C000-0x000000001000D000-memory.dmp
    Filesize: 4KB

  • memory/2116-0-0x0000000001000000-0x0000000001069000-memory.dmp
    Filesize: 420KB

  • memory/2116-2-0x0000000001000000-0x0000000001069000-memory.dmp
    Filesize: 420KB

  • memory/2116-1-0x0000000001003000-0x0000000001005000-memory.dmp
    Filesize: 8KB

  • memory/2676-27-0x0000000000400000-0x0000000000479000-memory.dmp
    Filesize: 484KB

  • memory/2988-45-0x000000002E000000-0x000000002E086000-memory.dmp
    Filesize: 536KB

  • memory/2988-46-0x000000002E013000-0x000000002E015000-memory.dmp
    Filesize: 8KB

  • memory/2988-75-0x000000002E000000-0x000000002E086000-memory.dmp
    Filesize: 536KB